This story dates back to the early 1980s when I was working for a regional bank in one of the first positions hired specifically to manage computer security. Until then, no employee had been dedicated to system security at the bank, so the measures that had been implemented were very basic or inconsistent.

With a database team and a production team previously established, I initially took over user ID administration from someone in the database group who'd been doing that work on a part-time basis.

Plugging the security holes

As I delved deeper into the issue, I discovered the bank had next to no security on the mainframe's production files. Anyone in the bank who had access to the mainframe's time-sharing system had read-write-purge permissions to all production files. This list included every IT person in the bank, even those who didn't need access to them to do their work.

Amazingly, a few accidental deletions were the only problems they'd had in that time. I drafted a cautious plan to restructure permissions so that programmers could read production files, but could not alter or delete them. Nonprogrammers with time-sharing access would not be allowed to even read production files.

For most functions, programmers only needed to be able to read production files, and the bank already had a process in place if a file had to be updated with a temporary programming change. My plan included a process for them to get management approval when a file required a direct edit.

My boss approved the plan. We expected some pushback from the programmers about the new security measures and braced ourselves accordingly. They didn't disappoint.

After reading the plan, some programmers came by with choice words or questions. The worst was one very irate programmer who stormed into my office and called me a "Nazi" for taking away permissions to "his" files! I patiently explained that the audit folks were finally catching on to our alarming lack of compliance with sound security practices, so we had to make these changes. He wasn't happy, but left without further argument.

Otherwise, the plan was implemented with no issues.

Security means security means security

Then the unexpected happened. The on-site security manager had apparently come to the realization that a new security team had been hired. He took exception to the fact that we were working on "security," but did not report to him. However, his security crew had nothing to do with computers beyond physical security -- meaning guards and access badges. Somehow he felt that we worked with security, therefore we did the same thing. In response, he launched a turf war.

That security manager scheduled a meeting with both my manager and me to discuss the "charter" of our team. He demanded to know what we did -- in detail. My boss started explaining our job, the security manager interrupting occasionally and quivering with anger. When my boss stated that our duties included security, namely user ID management and setting access rights on the computers, the security manager flew into a rage.

He stood up, pounded his fist on the desk, and bellowed, "No! I am in charge of all security at the bank!!!"

I was stunned into silence. My boss was a very sharp fellow and remained completely unruffled. He kept his cool and calmly replied, "It's obvious to me that we are not going to agree on this issue. I will report this meeting to my manager, and I suggest you do the same. If there is a conflict between the charters of our departments, then our managers need to work it out."

My boss told his manager. I did not find out how she dealt with the issue, but our charter did not change, and we never heard anything more about it from the other security manager -- although he was prickly whenever we happened to meet.

This situation could have easily morphed into an unproductive shouting match but didn't, thanks to my boss. Watching it unfold, I vowed to always keep calm in business meetings. It will pay off in the long run -- and it has.

Who is Anonymous? It's you, the IT pro, who shares true experiences from the job. Since 2005, the many Anonymous writers have entertained and commiserated with peers through stories of personal blunders, coping with poor managers, trying to communicate with users, and resolving tech problems. Submit your story, and if we publish it in the Off the Record blog we'll send you a $50 American Express gift cheque -- and, of course, keep you Anonymous.